Security audit

Pharma Intelligence

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a biomedical research helper, but it bundles broad web-request and file-saving capabilities that should be reviewed before installation.

Install only if you are comfortable with a research skill that can make broad outbound web requests and write raw API responses to local paths. Use it in a constrained workspace, avoid passing untrusted JSON inputs to the scripts, keep save_raw disabled unless needed, and only write raw outputs to a dedicated safe directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (68)

Tainted flow: 'raw_text' from requests.get (line 103, network input) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
    raw_text = json.dumps(data, indent=2)
    path = Path(config["raw_output_path"] or "/tmp/ncbi-gene-search.json")
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(raw_text, encoding="utf-8")
    raw_output_path = str(path)
total = data[0]
codes = data[1] if isinstance(data[1], list) else []
Confidence
88% confidence
Finding
path.write_text(raw_text, encoding="utf-8")

Tainted flow: 'raw_text' from requests.post (line 285, network input) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
    )
    path = Path(config["raw_output_path"] or "/tmp/opentargets-associated-diseases.json")
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(raw_text, encoding="utf-8")
    raw_output_path = str(path)

if disease_filter and not filtered_rows:
Confidence
92% confidence
Finding
path.write_text(raw_text, encoding="utf-8")

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file defines a narrowly scoped bioRxiv/medRxiv metadata lookup skill, while the surrounding skill-slot metadata advertises broad pharmaceutical intelligence coverage. This mismatch can cause the orchestrator or user to invoke the skill for decisions it cannot properly support, leading to incomplete or misleading research outputs presented as comprehensive pharma intelligence.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This script is a fully generic HTTP client that accepts caller-controlled base URLs, paths, headers, parameters, and request bodies, enabling arbitrary outbound requests unrelated to the declared pharma-intelligence purpose. In an agent context, that materially expands capability into unrestricted network access, creating SSRF-like behavior, access to unintended internal or sensitive endpoints, and exfiltration pathways through arbitrary response handling.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code writes raw HTTP responses to a caller-supplied filesystem path with no path restrictions or sandbox checks. That enables arbitrary file write within the executing user's permissions, which can overwrite application files, drop data in sensitive locations, or stage persistence or data leakage depending on runtime privileges.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The URL builder explicitly accepts fully qualified http/https paths, allowing caller-controlled requests to arbitrary destinations instead of a constrained set of pharma or biomedical endpoints. In an agent skill context, this creates a generic network primitive that can be abused for SSRF, data exfiltration, internal service access, or use of the skill outside its declared purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The client allows arbitrary POST requests, caller-supplied headers, and arbitrary request bodies, turning a read-oriented research helper into a general-purpose HTTP client. That expands abuse potential from passive retrieval to authenticated actions against third-party services, request forgery, and easier exfiltration via custom headers or crafted payloads.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The raw response saver writes attacker-influenced content to an attacker-controlled filesystem path, which can overwrite arbitrary files accessible to the process or plant data in sensitive locations. Combined with arbitrary outbound requests, this can persist exfiltrated data locally, tamper with application state, or create follow-on risks if written into directories consumed by other components.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The client accepts any absolute URL in `path` and otherwise concatenates caller-controlled `base_url` and `path`, enabling arbitrary outbound HTTP(S) requests. In a pharma-intelligence skill, this is more dangerous because the manifest implies narrowly scoped biomedical retrieval, but the implementation functions as a general network proxy that could be used for unrelated exfiltration, SSRF-style access to internal services, or policy bypass.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code permits both GET and POST and forwards caller-supplied headers directly into the session, which allows arbitrary authenticated or state-changing requests rather than read-only evidence retrieval. In this skill context, that capability exceeds the declared purpose and could be abused to send secrets in headers, impersonate clients, or interact with third-party APIs in unintended ways.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
`_save_raw_output` writes remote response bodies to a caller-controlled filesystem path, creating an arbitrary file write primitive within the permissions of the running process. That is dangerous because an attacker could overwrite application files, drop data in sensitive locations, or persist untrusted content locally, and the pharma-intelligence context does not justify unrestricted disk writes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
`_save_raw` writes API response data to a caller-controlled filesystem path with no directory restrictions or path validation. In an agent execution environment, this can overwrite arbitrary writable files, drop sensitive trial data in unexpected locations, or interfere with adjacent skill/runtime state, which exceeds the stated pharma retrieval purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script allows caller-controlled writes of raw API responses to any filesystem path via `raw_output_path`, with directory creation enabled. In an agent or skill runtime, this unjustified file-write primitive can overwrite application data, drop files in sensitive locations writable by the process, or persist potentially sensitive queried data outside the intended response channel.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The input parser explicitly exposes `save_raw` and `raw_output_path`, creating a persistence capability unrelated to the stated purpose of ClinVar/variation lookup and summarization. This expands the attack surface by letting untrusted input control whether API data is written locally and where it is stored.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This script is a fully generic HTTP client that accepts caller-controlled base URLs, paths, headers, query parameters, request bodies, and an arbitrary raw_output_path for file writes. In an agent skill context, that creates SSRF-style outbound request capability and unrestricted local file write behavior that go well beyond the stated pharma-intelligence purpose, increasing the risk of internal network access, data exfiltration, and filesystem abuse if an attacker can influence inputs.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The SKILL.md declares an Ensembl-specific REST lookup tool, while the surrounding metadata indicates a much broader pharma-intelligence capability. This mismatch can cause incorrect routing, over-broad trust, or use of the wrong skill for regulated biomedical queries, leading to incomplete or misleading outputs in security- and safety-sensitive contexts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This script is a fully generic HTTP client: it accepts arbitrary base URLs, paths, headers, methods, parameters, bodies, and can persist raw responses to attacker-chosen file paths. In a skill intended for pharma/biomedical intelligence, that broad network and filesystem capability exceeds the stated scope and can be abused for SSRF-style access to internal services, unauthorized data exfiltration, or writing sensitive response content to disk.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script accepts a user-controlled `query_path` and reads that local file with no directory allowlist or path restriction. In an agent environment, this can be abused to read arbitrary local files accessible to the process and exfiltrate their contents to the external gnomAD endpoint as the GraphQL `query`, which is unjustified for a biomedical search client.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script supports `save_raw=true` with a user-controlled `raw_output_path`, allowing arbitrary file writes anywhere the process has permission. Even though the written content is API JSON, an arbitrary write primitive can overwrite application files, poison logs, or persist sensitive remote data locally, none of which the skill's stated read/search purpose requires.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata and actual implementation are materially misaligned: the surrounding manifest frames this as broad pharmaceutical intelligence, while the file only supports narrowly scoped GWAS Catalog REST queries. This can cause an orchestrating agent or user to over-trust the skill for regulatory, clinical, patent, pipeline, or multi-region questions and produce incomplete or misleading outputs based on a much narrower data source.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script is a generic REST client that can be repurposed far beyond the stated pharma/GWAS research scope. That mismatch weakens least-privilege assumptions for the skill and increases the chance it will be used as a general network primitive inside the agent environment.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`_build_url` accepts fully qualified http/https URLs in the path, allowing callers to override the configured base URL and send requests to arbitrary external destinations. In an agent skill, this creates a strong SSRF/exfiltration primitive that can reach unintended services or leak data to attacker-controlled endpoints under the guise of normal skill execution.
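The URL-builder and header-forwarding findings above all reduce to one missing control: the helper never pins requests to the hosts and methods the skill actually needs. The following is an added example, not the audited skill's code and not a reconstruction of its `_build_url`. `build_url` refuses absolute and protocol-relative paths and re-checks the joined result; `sanitize_headers` forwards only an allowlist and rejects CR/LF; `prepare_request` restricts the helper to GET with no body. `ALLOWED_HOSTS`, `ALLOWED_REQUEST_HEADERS`, `prepare_request` and `policy_blocks` are names and values chosen for this demo, not the skill's configuration.

```python
"""Pin a generic HTTP helper to allowlisted hosts, read-only methods and safe headers.

Added example, not the audited skill's own code. build_url stands in for the
audited _build_url (which accepts absolute http/https URLs in `path` and
otherwise concatenates base_url + path); ALLOWED_HOSTS, the header allowlist
and prepare_request are assumptions chosen for the demo.
"""
from typing import Any, Dict, Optional
from urllib.parse import urljoin, urlsplit

# Hosts this research helper may talk to (demo choice, not the skill's config).
ALLOWED_HOSTS = frozenset({"eutils.ncbi.nlm.nih.gov", "api.platform.opentargets.org"})

# Only what a read-only client needs. Authorization, Cookie, X-Forwarded-* and
# any other caller-supplied header are dropped rather than forwarded.
ALLOWED_REQUEST_HEADERS = frozenset({"accept", "user-agent"})


class RequestPolicyError(ValueError):
    """Raised when a caller-supplied request falls outside the policy."""


def build_url(base_url: str, path: str) -> str:
    """Join base_url and path without letting path change scheme or host."""
    if "://" in path or path.startswith(("//", "\\\\")):
        raise RequestPolicyError(f"absolute or protocol-relative path rejected: {path!r}")
    base = urlsplit(base_url)
    if base.scheme != "https" or base.hostname not in ALLOWED_HOSTS or base.username or base.password:
        raise RequestPolicyError(f"base_url not allowlisted: {base_url!r}")
    full = urljoin(base_url.rstrip("/") + "/", path.lstrip("/"))
    final = urlsplit(full)
    # Re-check the joined result, not just the inputs: a path like 'http:x'
    # survives the substring test but would change the scheme here.
    if final.scheme != base.scheme or final.hostname != base.hostname:
        raise RequestPolicyError(f"joined URL escaped the base host: {full!r}")
    return full


def sanitize_headers(headers: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Keep only allowlisted headers and reject CR/LF so nothing can be smuggled."""
    kept: Dict[str, str] = {}
    for name, value in (headers or {}).items():
        if name.lower() not in ALLOWED_REQUEST_HEADERS:
            continue
        if "\r" in value or "\n" in value:
            raise RequestPolicyError(f"header {name!r} contains CR/LF")
        kept[name] = value
    return kept


def prepare_request(config: Dict[str, Any]) -> Dict[str, Any]:
    """Turn caller config into a request the policy permits, or raise.

    GET only, no body, pinned host, filtered headers: the shape a
    read-oriented research helper actually needs.
    """
    method = str(config.get("method", "GET")).upper()
    if method != "GET":
        raise RequestPolicyError(f"method {method} not permitted")
    if config.get("body") is not None or config.get("json") is not None:
        raise RequestPolicyError("request bodies not permitted")
    return {
        "method": "GET",
        "url": build_url(config["base_url"], config.get("path", "")),
        "headers": sanitize_headers(config.get("headers")),
        "params": dict(config.get("params") or {}),
    }


def policy_blocks(func, *args, **kwargs) -> bool:
    """True if the policy raises for this call (used by the demo below)."""
    try:
        func(*args, **kwargs)
    except RequestPolicyError:
        return True
    return False


if __name__ == "__main__":
    base = "https://eutils.ncbi.nlm.nih.gov/entrez/eutils"
    print(prepare_request({"base_url": base, "path": "esearch.fcgi",
                           "params": {"db": "gene", "term": "BRCA1[sym]"},
                           "headers": {"Accept": "application/json", "Authorization": "Bearer leaked"}}))
    for bad in ("https://attacker.example/collect", "//attacker.example/x",
                "http://169.254.169.254/latest/meta-data/"):
        print(bad, "blocked" if policy_blocks(build_url, base, bad) else "ALLOWED")
```

The host check deliberately runs twice (on `base_url` and again on the joined URL) because `urljoin` has its own rules for scheme-only and network-path references; checking the output is what closes the gap regardless of how the input was shaped.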

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The raw-response saving function writes untrusted remote content to a caller-supplied filesystem path with no directory restrictions. This can overwrite or create files in arbitrary writable locations, enabling local data clobbering, persistence artifacts, or unintended exposure of fetched sensitive data on disk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The helper accepts an arbitrary `raw_output_path` from input and later writes API results to that path, enabling a caller to create or overwrite files anywhere the process has permission. In a skill execution environment, this is more dangerous because the feature is unrelated to the core pharma lookup purpose and increases the chance of abuse for clobbering local files, planting misleading artifacts, or exfiltration staging.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script allows caller-controlled raw_output_path and writes remote response content directly to that path when save_raw is enabled. This creates an arbitrary file write primitive that can overwrite files the process can access, which is unnecessary for a PMC lookup helper and becomes more dangerous in an agent environment handling untrusted inputs.
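The `raw_output_path` write findings above and the `query_path` read finding share one fix: resolve the caller-supplied path beneath a dedicated directory and refuse anything that escapes it, which is what the overview's "dedicated safe directory" advice amounts to in code. The following is an added example, not the audited skill's code and not a reconstruction of its `_save_raw` or `_save_raw_output`. `confine_path`, `save_raw_output`, `load_query`, the `raw/` and `queries/` layout and the sample query and response body are assumptions made for this demo.

```python
"""Confine caller-supplied file paths to a dedicated directory.

Added example, not the audited skill's own code. It stands in for the
save_raw / raw_output_path writer and the query_path reader the findings
describe; the helper names, the raw/ and queries/ layout and the sample
data are assumptions made for the demo.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Any, Dict, Optional


class PathPolicyError(ValueError):
    """Raised when a caller-supplied path escapes the allowed directory."""


def confine_path(base_dir: Path, user_path: str, suffix: Optional[str] = None) -> Path:
    """Resolve user_path beneath base_dir and reject anything that escapes it.

    Path.resolve() follows symlinks and collapses '..', so one check covers
    traversal ('../../etc/cron.d/job'), absolute paths ('/etc/passwd') and
    symlinks planted inside base_dir that point outside it.
    """
    if not user_path or Path(user_path).is_absolute():
        # Path(base) / '/abs' silently discards base, so refuse absolutes up front.
        raise PathPolicyError(f"absolute or empty path rejected: {user_path!r}")
    base = base_dir.resolve()
    candidate = (base / user_path).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        raise PathPolicyError(f"{user_path!r} resolves outside {base}")
    if suffix is not None and candidate.suffix != suffix:
        raise PathPolicyError(f"{user_path!r} must end with {suffix}")
    return candidate


def save_raw_output(config: Dict[str, Any], data: Any, raw_dir: Path) -> Optional[str]:
    """Hardened stand-in for the audited _save_raw pattern.

    Writes only when save_raw is explicitly enabled, only beneath raw_dir,
    only as .json, with owner-only permissions, and refuses to follow a
    symlink sitting at the target.
    """
    if not config.get("save_raw"):
        return None
    target = confine_path(raw_dir, config.get("raw_output_path") or "response.json", suffix=".json")
    target.parent.mkdir(parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh, indent=2)
    return str(target)


def load_query(config: Dict[str, Any], query_dir: Path, max_bytes: int = 64 * 1024) -> str:
    """Hardened stand-in for the audited query_path read: confined and size-capped."""
    target = confine_path(query_dir, config["query_path"])
    if not target.is_file():
        raise PathPolicyError(f"{config['query_path']!r} is not a regular file")
    if target.stat().st_size > max_bytes:
        raise PathPolicyError("query file exceeds size cap")
    return target.read_text(encoding="utf-8")


def demo() -> Dict[str, Any]:
    """Run the policy over constructed inputs and return what happened."""
    results: Dict[str, Any] = {}
    with tempfile.TemporaryDirectory() as tmp:
        raw_dir = Path(tmp) / "raw"
        query_dir = Path(tmp) / "queries"
        query_dir.mkdir()
        # Constructed sample query and response body; not real API output.
        (query_dir / "variant.graphql").write_text('query { gene(gene_symbol: "BRCA1") { gene_id } }', encoding="utf-8")
        data = {"results": [{"gene": "BRCA1", "score": 0.91}]}

        results["ok_write"] = save_raw_output(
            {"save_raw": True, "raw_output_path": "ncbi/gene-search.json"}, data, raw_dir)
        results["written_under_raw_dir"] = Path(results["ok_write"]).is_relative_to(raw_dir.resolve())
        results["disabled"] = save_raw_output({"raw_output_path": "ncbi/gene-search.json"}, data, raw_dir)
        results["ok_read"] = load_query({"query_path": "variant.graphql"}, query_dir)

        bad_writes = {"traversal": "../../etc/cron.d/job.json", "absolute": "/etc/passwd", "not_json": "notes.txt"}
        for label, path in bad_writes.items():
            try:
                save_raw_output({"save_raw": True, "raw_output_path": path}, data, raw_dir)
                results[label] = "allowed"
            except PathPolicyError:
                results[label] = "blocked"
        try:
            load_query({"query_path": "../raw/ncbi/gene-search.json"}, query_dir)
            results["read_escape"] = "allowed"
        except PathPolicyError:
            results["read_escape"] = "blocked"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Resolving before comparing is the important step: a lexical prefix check on the unresolved string would accept `raw/../../etc/cron.d/job.json` and a symlink dropped inside the raw directory, while `resolve()` turns both into the real target before the containment test runs.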

VirusTotal

56/56 vendors flagged this skill as clean.